Daily Brief

Find articles below; each entry is followed by a generated summary

Total articles found: 12708

Checks for new stories every ~15 minutes

2024-04-02 01:02:48 | theregister | NATION STATE ACTIVITY | Six Banks and Singapore Authority Collaborate Against Money Laundering
Singapore's Monetary Authority launched an application named COSMIC, in collaboration with six major commercial banks, to tackle money laundering and terrorism financing. Banks can share customer information based on predefined red flags that indicate potential criminal behavior, with protections in place for legitimate customers. Customers are encouraged to provide clarifications on their risk profiles or transactions to aid financial institutions in informed risk assessments. Chinese advanced persistent threat groups have targeted ASEAN countries for cyber espionage, focusing on sensitive information about diplomatic relations and economic decisions. Japan plans to introduce a domestic passenger jet by 2035 to recover from the SpaceJet program's termination. Alister Dias, Google Cloud's vice president for Australia and New Zealand, announced his departure to prioritize family and personal projects. Recent alliances in the APAC region include partnerships and tech deployments across various industries, enhancing capabilities like data analytics, weather forecasting, cyber defenses, payment solutions, and satellite remote sensing. The Chinese Commerce Minister met with the Dutch Trade Minister to discuss the impact of export sanctions on the semiconductor industry and seek ways to strengthen cooperation.
2024-04-01 22:40:18 | theregister | MISCELLANEOUS | U.S. House Prohibits Use of Microsoft Copilot Amid Security Concerns
Staff of the US House of Representatives are prohibited from using Microsoft's Copilot AI tools until a government edition is released. Microsoft Copilot, which includes AI services for various applications, is considered a risk because sensitive House data could leak to cloud services that are not approved for government use. The House's Office of Cybersecurity deemed Copilot a threat, leading to its removal from and blocking on all House devices. The ban aligns with previous restrictions on ChatGPT, reflecting growing concerns about data privacy and the need for "sovereign AI" tailored to national security needs. Microsoft is preparing a government edition of Copilot with enhanced security, which the House will review upon its release later in the year. The caution is based on recent incidents, such as Samsung's accidental leak of secrets via ChatGPT and a bug in OpenAI's software that exposed parts of user conversations.
2024-04-01 21:18:36 | theregister | CYBERCRIME | Sophisticated Backdoor Discovered in Open Source Compression Library
A backdoor was found in the open source compression library xz, specifically within liblzma, which is part of a package widely used in Linux distributions and macOS. The malicious code enabled remote code execution by altering the SSH daemon's behavior via systemd, and was discovered by a Microsoft engineer investigating unusual latency. The affected versions of the xz package shipped in several bleeding-edge Linux distributions, exposing SSH to potential remote exploitation. The attack was a supply chain compromise and came close to becoming an unprecedented intrusion enabler, potentially more impactful than the SolarWinds incident. The malicious commits were made by an individual using the name "Jia Tan," who spent nearly two years building trust before introducing the backdoor, in what is assumed to have been a long con. The incident highlights concerns regarding the security of open-source projects, especially those maintained by volunteers with limited resources and recognition. No conclusive evidence ties the attack to a nation-state, but the level of sophistication suggests a well-funded adversary.
2024-04-01 20:32:28 | bleepingcomputer | CYBERCRIME | Google Enhances Email Security to Shield Against Phishing
Google has implemented stricter spam filters that automatically block emails from bulk senders not adhering to enhanced authentication standards. Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) authentication are now mandatory for bulk senders targeting Gmail users. The new measures also require a spam rate below 0.3%, an easy unsubscribe process, prompt handling of unsubscribe requests, and accurate "From" headers that do not impersonate Gmail. Non-compliant bulk senders will initially encounter temporary errors starting in April 2023, escalating to outright rejection of non-compliant traffic by April 2024. Bulk senders have been advised to adjust their practices during the temporary error phase before stricter enforcement begins. Google's AI-powered defenses are claimed to block nearly 15 billion unwanted emails daily, keeping spam, phishing, and malware at bay with a 99.9% success rate. The security update aims to make it easier for users to trust the source of an email and to eliminate weaknesses leveraged by cyber attackers.
2024-04-01 19:26:01 | bleepingcomputer | DATA BREACH | OWASP Reports Data Breach Due to Wiki Configuration Error
OWASP disclosed a data breach that exposed resumes containing personal information, caused by a MediaWiki server misconfiguration. The breach affected members from 2006 to 2014 who had submitted resumes during the earlier membership application process. Exposed data included names, email addresses, phone numbers, physical addresses, and other personal information. The breach was discovered after OWASP received several support requests in late February. OWASP has contacted affected individuals, noting that outdated information poses a limited risk and advising caution if the details are still current. In response, OWASP disabled directory browsing, reviewed server configurations, removed the resumes, purged caches, and asked the Web Archive to delete the exposed data. The nonprofit, which focuses on software security, no longer collects resumes as part of the membership process, which reduces the risk of such exposure in the future.
2024-04-01 18:39:58 | bleepingcomputer | DATA BREACH | MarineMax Suffers Customer and Employee Data Theft Post-Cyberattack
MarineMax, a leading boat and yacht retailer, experienced a data breach following a cyberattack in March. Despite the company's claim that no sensitive data was stored in the affected systems, personal information of customers and employees was stolen. The cybercrime organization Rhysida, which operates a Ransomware-as-a-Service, claimed responsibility and is demanding 15 BTC for the stolen data. Rhysida has posted exfiltrated data, including personal identification documents and financial records, on the dark web. MarineMax reported revenue of $2.39 billion in the previous year, highlighting the scale of the affected organization. Rhysida is known for high-profile breaches, such as those against the British Library and the Chilean Army, as well as a recent incident involving Sony's Insomniac Games.
2024-04-01 16:06:53 | bleepingcomputer | CYBERCRIME | FTC Reports Over $1 Billion Lost to Impersonation Scams in 2023
Americans reported over $1.1 billion in losses due to impersonation scams in 2023, tripling the losses from 2020. The Federal Trade Commission (FTC) released data indicating 490,000 scams, with the majority involving business and government impersonations. Scammers commonly use phone calls, but email and text message schemes are increasing annually. The FTC's report indicates a trend of scammers impersonating multiple entities in a single fraud attempt, such as fake employees from popular brands transferring victims to fraudulent banks or government agencies. The top five scam types include both business and government impersonation, with scammers often using advanced techniques to deceive victims. The FTC emphasizes consumer education on scam prevention methods, like scrutinizing unsolicited messages and verifying the legitimacy of requests for money transfers. New rules will empower the FTC to pursue civil penalties and restitution in federal courts against scammers fraudulently using government or business identifiers.
2024-04-01 15:05:34 | bleepingcomputer | DATA BREACH | Over 1.3 Million Users Affected in PandaBuy Data Leak Incident
Data on over 1.3 million PandaBuy customers has been leaked after a breach by two threat actors who exploited multiple vulnerabilities. PandaBuy, a platform for international shopping from Chinese e-commerce sites, has suffered a significant compromise of user data. The threat actors 'Sanggiero' and 'IntelBroker' claimed credit for the breach, stating that they used critical API vulnerabilities to gain access. The leaked data includes user IDs, names, contact details, order information, and addresses, part of which is offered for sale on a forum for cryptocurrency. Have I Been Pwned has confirmed the exposure of 1,348,407 accounts, so the actual number of unique affected users is somewhat lower than the 3 million claimed by the threat actors. There has been no official statement from PandaBuy, and there are allegations that the company attempted to censor discussions about the breach on social media platforms. PandaBuy advised customers to change their passwords and remain alert for scams resulting from the breach. The affected users' data has been added to Have I Been Pwned for notification purposes.
2024-04-01 14:50:00 | theregister | DATA BREACH | Harvard Pilgrim Health’s Data Breach Affects 2.9 Million Individuals
Nearly 2.9 million people were affected by a data theft incident at Harvard Pilgrim Health Care that was discovered a year ago. The breach occurred during a March ransomware attack on systems related to the health service company’s commercial and Medicare Advantage plans. Sensitive personal information including names, addresses, phone numbers, social security numbers, and clinical data was compromised. Harvard Pilgrim has sent notification letters to the victims and has been revising the number of people affected over the months. The company is offering credit monitoring and identity protection services, although there is no indication that the stolen data has been misused as of yet. The investigation is still ongoing, and Harvard Pilgrim will continue to notify additional affected individuals as more information is uncovered. In parallel, Sellafield Ltd faces prosecution for cybersecurity failures, and the TheMoon botnet targets end-of-life SOHO routers, with more than 40,000 systems compromised worldwide.
2024-04-01 13:58:45 | thehackernews | CYBERCRIME | Indian Nationals Rescued from Forced Cybercrime Operations in Cambodia
The Indian government successfully repatriated around 250 citizens from Cambodia who were coerced into conducting cyber scams. These individuals were deceived by job offers but ended up trapped in illegal cyber activities and cyber slavery. Efforts are ongoing with Cambodian authorities to dismantle the recruitment networks accountable for this fraud. Investigations reveal the alarming scale of human trafficking-fueled fraud, with thousands of Indians exploited. Scammers, particularly in pig butchering scams, create romantic illusions to swindle victims out of funds through phony cryptocurrency investments. Some victims were freed after their families paid ransoms; scammers garner significant crypto inflows, often through sophisticated techniques to bypass security measures. Recent research has highlighted the exploitation of cryptographic functions in Ethereum called CREATE2, allowing scammers to evade detection and steal cryptocurrencies.
2024-04-01 13:17:45 | theregister | NATION STATE ACTIVITY | TikTok's Potential US Ban: Implications and Calls for Privacy Law
US Congress is considering a bill that could ban TikTok unless its Chinese parent company, ByteDance, divests it. The bill, which has passed the House, stipulates that ByteDance would have 180 days to sell TikTok after enactment. Former White House CIO Theresa Payton suggests that tech companies should prepare for a worst-case scenario ban. If the bill is signed into law, US internet service providers, app stores, and social networks might face new restrictions related to TikTok. Payton warns of potential diplomatic tensions, with China possibly retaliating against American companies operating there. The piece also makes the case for a US national privacy law, arguing that it could change the terms of the debate over foreign ownership of app data. The absence of such a federal privacy law in the US creates additional challenges in managing international data access.
2024-04-01 12:36:48 | theregister | DATA BREACH | AT&T Confirms Authenticity of Massive Data Dump Affecting 70M Users
AT&T verified the authenticity of a dark web data dump impacting over 73 million current and former customers. The telco acknowledged that the leaked data may include names, addresses, social security numbers, account details, and passcodes. Initial assessments suggest that the compromised data primarily dates back to 2019 or earlier, with investigations ongoing to determine the source. While there is currently no evidence of unauthorized system access, the origin of the data remains unclear, with potential ties to AT&T or its vendors. The incident resembles the data the ShinyHunters cybercrime group claimed to have in 2021 and offered for sale, though AT&T denied ownership at the time. AT&T has not confirmed whether the 2021 and 2023 data sets are identical, raising concerns about the potential exposure of additional customer records. Questions have been put to AT&T to provide further clarity on the breach, with updates pending.
2024-04-01 11:25:14 | thehackernews | MALWARE | Enhancing Detection of Windows Malware with EventSentry
Organizations continue to face significant threats from ransomware and other malware, impacting the economy and national security. Underfunded IT departments in small and mid-sized businesses struggle to combat malware due to complex and expensive enterprise security solutions. EventSentry offers more robust visibility into network activities by validating audit settings and monitoring endpoints, thereby improving malware detection capabilities. The article emphasizes the necessity of a layered defense strategy, integrating prevention, detection, and discovery to effectively combat malware. EventSentry aids in every stage of a malware attack by providing extensive inventory monitoring, managing patch levels, and validating settings for increased endpoint security. The solution's validation scripts run over 150 checks on endpoints, enhancing security by identifying suspicious settings that may indicate a malware infection. EventSentry's feature set encourages the consolidation of monitoring tools, leading to better integration and higher return on investment for organizations. The article concludes that comprehensive monitoring tools such as EventSentry are crucial for safeguarding complex Windows-based network infrastructures against advanced threats.
2024-04-01 10:13:53 | thehackernews | MALWARE | Malware Turns Android Devices Into Cybercrime Proxies
Android apps on Google Play were turned into residential proxies by malicious actors, unbeknownst to users. HUMAN's Satori security team has named this operation PROXYLIB, and the 29 apps discovered have now been removed by Google. Residential IP addresses from infected phones were sold for nefarious activities, masking the attackers' origins. The threat actors trick users into installing seemingly legitimate VPN apps, creating a botnet for profit. The inclusion of a Golang library and the LumiApps SDK between May and October 2023 enabled infected devices to join the proxy network. The LumiApps SDK is offered to developers for app monetization and unknowingly enrolled their apps into the botnet. The threat actor behind PROXYLIB may be selling access to the proxy network, and the botnet's SDK is widely promoted on social media and forums. The issue aligns with similar botnet activity on outdated SOHO routers and IoT devices disclosed by Lumen Black Lotus Labs.
2024-04-01 06:09:47 | thehackernews | MALWARE | Vultur Banking Trojan Resurfaces with Enhanced Remote Control Features
The notorious Vultur Android banking trojan has returned with new capabilities, including improved remote control functions and evasion techniques. Cybersecurity researchers at NCC Group report that Vultur now encrypts Command and Control (C2) communications and masquerades as legitimate apps to avoid detection. Originally discovered in early 2021, Vultur exploits Android’s accessibility services to carry out its attacks, and while primarily distributed through the Google Play Store, it now also uses SMS and phone calls. The malware leverages a dropper-as-a-service operation named Brunhilda and a technique known as telephone-oriented attack delivery (TOAD) to distribute an updated version disguised as a McAfee Security app. It employs three payloads that secure permissions, facilitate remote access via AlphaVNC and ngrok, and execute commands from the C2 server for extensive device control. Advanced features of Vultur allow it to perform clicks, scrolls, swipe gestures, and file management; it can block apps, display custom notifications, and disable lock screen security. Parallel findings highlight the conversion of the Octo (Coper) Android banking trojan into a malware-as-a-service operation with capabilities of keylogging, intercepting messages, and remote device control, affecting 45,000 devices worldwide. Additional campaigns in India have been identified distributing malicious APKs related to online services as part of a malware-as-a-service offering targeting confidential banking and personal information.